WO2022042746A1 - Key management method and apparatus - Google Patents


Info

Publication number
WO2022042746A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
role
identity authentication
decryption key
authentication method
Prior art date
Application number
PCT/CN2021/115727
Other languages
French (fr)
Chinese (zh)
Inventor
王东临
Original Assignee
北京书生网络技术有限公司
Priority claimed from CN202010897535.9A (CN114124395B)
Priority claimed from CN202010897527.4A (CN111970126A)
Application filed by 北京书生网络技术有限公司
Publication of WO2022042746A1
Priority to US18/175,872 (US20230208634A1)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822: Key transport or distribution using key encryption key
    • H04L9/0825: Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/088: Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56: Financial cryptography, e.g. electronic payment or e-cash


Abstract

Provided are a key management method and apparatus. The key management method comprises: acquiring the authorization of a user by means of a first identity authentication mode, so as to generate a first authentication encryption key, wherein the first identity authentication mode is used for logging in with a digital identity; and encrypting at least one role decryption key by using the first authentication encryption key, so as to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication mode, wherein the at least one role decryption key corresponds to at least one role of the digital identity on a one-to-one basis, and is used for decrypting at least one encrypted target key, so as to obtain at least one target key. By means of the technical solution of the present application, an identity authentication mode can be associated with a target key, thereby facilitating the process of managing and using a target key.

Description

Key management method and apparatus
Technical Field
The present application relates to the field of encryption technology, and in particular to a key management method and apparatus.
Background of the Invention
With the growth of blockchain technology, more and more investors are coming into contact with digital currencies. However, the keys used to manage digital currency consist of many digits with no pattern, are usually very hard to remember, and have become a barrier to the wider adoption of digital currency. In recent years a number of solutions have appeared on the market to let users keep their keys more conveniently and more safely, but none has truly relieved users of the burden of key management.
At the same time, the Internet of Things is developing rapidly, and more and more products in daily life are managed intelligently. However, the many kinds of smart products leave users managing a large number of scattered accounts, which is inconvenient rather than helpful. If those accounts are mismanaged, the user's assets may even be put at risk.
Summary of the Invention
In view of this, in order to solve the above problems that users face in asset management in the prior art, the embodiments of the present application provide a key management method and apparatus.
According to a first aspect of the embodiments of the present application, a key management method is provided, comprising: obtaining a user's authorization through a first identity authentication method so as to generate a first authentication encryption key, where the first identity authentication method is used to log in to a digital identity; and encrypting at least one role decryption key with the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication method, where the at least one role decryption key corresponds one-to-one to at least one role of the digital identity and is used to decrypt at least one encrypted target key so as to obtain at least one target key.
According to a second aspect of the embodiments of the present application, a key management method is provided, comprising: obtaining a first authentication decryption key corresponding to a first identity authentication method of a digital identity; obtaining a second authentication encryption key corresponding to a second identity authentication method to be added to the digital identity; decrypting, with the first authentication decryption key, the initial encrypted first role decryption key corresponding to the first identity authentication method to obtain a first role decryption key; and encrypting the first role decryption key with the second authentication encryption key to obtain an initial encrypted first role decryption key corresponding to the second identity authentication method, where the first role decryption key corresponds to a first role among the at least one role of the digital identity and is used to decrypt an encrypted first target key so as to obtain a first target key.
According to a third aspect of the embodiments of the present application, a key management apparatus is provided, comprising: a first acquisition module configured to obtain a user's authorization through a first identity authentication method so as to generate a first authentication encryption key, where the first identity authentication method is used to log in to a digital identity; and a first encryption module configured to encrypt at least one role decryption key with the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication method, where the at least one role decryption key corresponds one-to-one to at least one role of the digital identity and is used to decrypt at least one encrypted target key so as to obtain at least one target key.
According to a fourth aspect of the embodiments of the present application, a key management apparatus is provided, comprising: a first acquisition module configured to obtain a first authentication decryption key corresponding to a first identity authentication method of a digital identity; a second acquisition module configured to obtain a second authentication encryption key corresponding to a second identity authentication method to be added to the digital identity; a first decryption module configured to decrypt, with the first authentication decryption key, the initial encrypted first role decryption key corresponding to the first identity authentication method to obtain a first role decryption key; and a first encryption module configured to encrypt the first role decryption key with the second authentication encryption key to obtain an initial encrypted first role decryption key corresponding to the second identity authentication method, where the first role decryption key corresponds to a first role among the at least one role of the digital identity and is used to decrypt an encrypted first target key so as to obtain a first target key.
According to a fifth aspect of the embodiments of the present application, an electronic device is provided, comprising: a processor; and a memory, where the memory is configured to store instructions executable by the processor, and the instructions, when executed by the processor, cause the processor to perform the key management method provided by the first or second aspect above.
According to a sixth aspect of the embodiments of the present application, a computer-readable storage medium is provided, comprising computer instructions stored thereon which, when executed by a processor, cause the processor to perform the key management method provided by the first or second aspect above.
The embodiments of the present application provide a key management method and apparatus in which a first authentication encryption key corresponding to a first identity authentication method is generated and used to encrypt at least one role decryption key under a digital identity, the at least one role decryption key being used to decrypt encrypted target keys so as to obtain at least one target key. An identity authentication method can thereby be associated with target keys, which simplifies the management and use of the target keys.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the system architecture of a key management system provided by an exemplary embodiment of the present application.
FIG. 2 is a schematic flowchart of a key management method provided by an exemplary embodiment of the present application.
FIG. 3 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application.
FIG. 4 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application.
FIG. 5 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application.
FIG. 6 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application.
FIG. 7 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application.
FIG. 8 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application.
FIG. 9 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application.
FIG. 10 is a schematic structural diagram of a key management apparatus provided by an exemplary embodiment of the present application.
FIG. 11 is a schematic structural diagram of a key management apparatus provided by another exemplary embodiment of the present application.
FIG. 12 is a block diagram of an electronic device for key management provided by an exemplary embodiment of the present application.
Modes of Implementing the Invention
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present application and not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application without creative effort fall within the protection scope of the present application.
Application Overview
In the prior art, a key is an identity authentication method intended for machines, not for people. A key may be used to manage digital currency or to perform a particular intelligent operation (for example, locking and unlocking a smart door lock), as configured according to the user's needs. Existing keys, however, have a variety of problems in use. For example, to improve security a key is made very long, which makes it easy for the user to forget; different digital currencies or intelligent operations may correspond to several different keys, which the user easily confuses; and keys are easily stolen while in use. These problems make existing keys both insecure and inconvenient in use overall.
Exemplary System
FIG. 1 is a schematic diagram of the system architecture of a key management system provided by an exemplary embodiment of the present application, showing an application scenario in which key management is performed through an electronic device. As shown in FIG. 1, the key management system 1 comprises an electronic device 10 and a server 20. The electronic device 10 can obtain the user's authorization through a first identity authentication method so as to generate a first authentication encryption key and a first authentication decryption key, encrypt a role key on the basis of the first authentication encryption key, and store the encrypted role key on the server 20, thereby creating a digital identity or adding the first identity authentication method to the digital identity. Further, by obtaining the encrypted role key from the server 20 and decrypting it, the electronic device 10 can manage or use the role key.
In another embodiment, the electronic device 10 can obtain the user's authorization through the first identity authentication method so as to generate the first authentication encryption key and the first authentication decryption key, encrypt the role key on the basis of the first authentication encryption key, and store the encrypted role key on the electronic device 10 itself, thereby creating the digital identity or adding the first identity authentication method to the digital identity. Further, by decrypting the encrypted role key, the electronic device 10 can manage or use the role key.
Here, the electronic device 10 may be a mobile device such as a mobile phone, game console, tablet computer, camera, video camera or in-vehicle computer; a computer such as a laptop or desktop; or any other electronic device that includes a processor and a memory. For any of these options, the first identity authentication method may authenticate the user by means of a piece of information the user already has, such as a third-party platform account held by the user, for example the account of an application installed on the electronic device 10.
It should be noted that the above application scenario is shown only to facilitate understanding of the spirit and principle of the present application, and the embodiments of the present application are not limited to it. On the contrary, the embodiments of the present application can be applied to any scenario in which they are applicable.
Exemplary Method
FIG. 2 is a schematic flowchart of a key management method provided by an exemplary embodiment of the present application. The method of FIG. 2 may be executed by an electronic device such as a mobile phone, and specifically by the client on the electronic device that corresponds to the digital identity. As shown in FIG. 2, the key management method concerns the creation of a digital identity or the addition of the digital identity's first identity authentication method (the first identity authentication method), and specifically comprises the following.
S210: obtain the user's authorization through a first identity authentication method so as to generate a first authentication encryption key, where the first identity authentication method is used to log in to a digital identity.
The user may create the digital identity through the first identity authentication method; alternatively, the digital identity is created in advance and the user adds the first identity authentication method to it.
In one embodiment, the digital identity is created in advance as an empty digital identity. While adding the first identity authentication method to the digital identity, at least one role can be set for it, each role corresponding to different permissions used to manage or use different digital currencies or to perform different intelligent operations.
In one embodiment, multiple roles are created for the digital identity through the first identity authentication method. Once the digital identity has been created, the user can log in to it through the first identity authentication method and use the permissions of any of its roles to perform the corresponding operations.
Further, the user can also add other identity authentication methods to the digital identity through the first identity authentication method. Any of the identity authentication methods can log in to the digital identity, and different identity authentication methods can use the permissions of different roles.
An identity authentication method may authenticate the user by means of a piece of information the user already has. Here, the user's existing information may include a third-party platform account held by the user, an identity authentication chip, a human biometric feature, a terminal system account and the like. The third-party platform account may be a social platform account, shopping platform account, financial platform account, mobile phone number account, network service account or smart IoT platform account held by the user, for example a WeChat account, Microsoft account, Taobao account or mobile banking account. It should be understood that the embodiments of the present application do not limit the specific type of the user's existing information.
It should be understood that the term "user" as used in this application is not limited to natural persons and may also include, for example, machines, monkeys, virtual identities and organizations; this application does not limit the real identity of the user.
In one embodiment, the electronic device can generate, on the basis of the first identity authentication method, a first authentication decryption key and a first authentication encryption key corresponding to that method. The authentication decryption key and authentication encryption key can be used to verify the identity authentication method, so that the user can exercise the permissions corresponding to it.
The authentication decryption key and authentication encryption key may be symmetric or asymmetric keys. The authentication encryption key may be an authentication public key and the authentication decryption key an authentication private key.
When the authentication decryption key and authentication encryption key are symmetric, the two are identical; when they are asymmetric, the two differ.
The first authentication decryption key may be stored locally (on the electronic device) or on the server side.
S220: encrypt at least one role decryption key with the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication method, where the at least one role decryption key corresponds one-to-one to at least one role of the digital identity and is used to decrypt at least one encrypted target key so as to obtain at least one target key.
In one embodiment, the at least one target key is used to manage the assets corresponding to the at least one role. When multiple roles are created for the digital identity through the first identity authentication method, a corresponding role decryption key can be generated for each role. Each role decryption key may correspond to one or more target keys and is used to decrypt the encrypted target keys so as to obtain the corresponding target keys.
Specifically, the role decryption key may be generated at random by the electronic device. Here, when multiple roles are created for the digital identity through the first identity authentication method, a corresponding role encryption key may also be generated for each role. Like the authentication keys, the role decryption key and role encryption key may be symmetric or asymmetric keys.
In another embodiment, the role decryption key may be generated on the server side.
Specifically, a digital identity may hold at least one asset, for example a digital currency account or the accounts of various login methods. Each asset has an associated target key used to manage that asset. The encrypted target key may be stored on the server side or locally.
When a digital identity has only one role, namely the first role, the first role may have management permissions over all the assets held by the digital identity; when a digital identity contains multiple roles, different roles may have management permissions over different assets among those held by the digital identity. For example, a digital identity may contain a first role and a second role, where the first role has permission to manage a WeChat account, a Weibo account and a public transport card, and the second role has permission to manage a smart door lock and a digital currency account.
Further, when a role is granted management permission over at least one asset, the role encryption key corresponding to that role can be used to encrypt, individually, the at least one target key corresponding to the at least one asset within its permission, yielding at least one encrypted target key that is stored in the digital identity. For example, the target key of the asset corresponding to the first role is encrypted with the first role encryption key to obtain the encrypted target key. In this way, once the electronic device has obtained the role decryption key, it can use that role decryption key to decrypt the encrypted target key and thereby obtain the target key.
Preferably, in another embodiment, after obtaining the target key the electronic device can further use it, according to the user's instruction, to manage the asset to which that target key corresponds. For example, when the target key is the key of a digital currency account, the user can issue an operation instruction to check the balance of that account. On receiving the instruction, the electronic device finds the corresponding encrypted target key, decrypts it with the first role decryption key to obtain the target key, and executes the user's instruction.
The embodiment of the present application provides a key management method in which a first authentication encryption key corresponding to a first identity authentication method is generated and used to encrypt at least one role decryption key under a digital identity, the at least one role decryption key being used to decrypt encrypted target keys so as to obtain at least one target key. An identity authentication method can thereby be associated with target keys, which simplifies the management and use of the target keys.
FIG. 3 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application. The embodiment shown in FIG. 3 extends the embodiment shown in FIG. 2 of the present application; the description below focuses on the differences between the two, and their common parts are not repeated.
As shown in FIG. 3, on the basis of the embodiment shown in FIG. 2, the key management method provided by the embodiment of the present application further includes the following.
S230: Generate a third storage key based on the identity authentication information corresponding to the first identity authentication method.
S240: Generate a first authentication decryption key corresponding to the first authentication encryption key.
S245: Encrypt the first authentication decryption key with the third storage key to obtain an encrypted first authentication decryption key.
In this embodiment, encrypting the first authentication decryption key secures the process of obtaining the first authentication decryption key and thus improves the security of the entire target key management and use process. The encrypted first authentication decryption key may be stored locally. Here, the third storage key may be used to encrypt the first authentication decryption key. The third storage key may be a symmetric key or an asymmetric key.
In one embodiment, the identity authentication information is non-public identity authentication information, and the third storage key may be generated from the non-public identity authentication information together with the names of the parents of the user corresponding to the first identity authentication method. For example, the non-public identity authentication information is a WeChat ID. Core Tencent employees may know the WeChat ID, and the user's relatives and friends may know the parents' names, but the two groups essentially do not overlap, so the security of key management is improved and theft of the key is effectively prevented.
In one embodiment, as shown in FIG. 3, the key management method further includes the following.
S250: Submit the encrypted first authentication decryption key to the server.
Specifically, the encrypted first authentication decryption key may be stored in a key database on the server side.
S255: Submit at least one initially encrypted role decryption key to the server.
Specifically, the at least one initially encrypted role decryption key may be stored in a user database on the server side.
To reduce the risk of leaking the third storage key, the electronic device may generate the third storage key from the first identity authentication method, or may associate the generated third storage key with the first identity authentication method before storing it, so that the electronic device can obtain the third storage key only when the user logs in to the digital identity through the first identity authentication method. For example, the electronic device may compute the third storage key from the first identity authentication information, or may randomly generate the third storage key and store it in the cloud service corresponding to the first identity authentication method.
Specifically, when creating the first identity authentication method, the electronic device may send an account creation request to the server so that the server creates a first key database account for logging in to the key database. The first key database account corresponds to the first identity authentication method and is used to store the encrypted first authentication decryption key. Here, the first key database account may have an account and password pair, namely a first login account and a first login password, and the electronic device may log in to the key database with the first login account and first login password and obtain data from it. It should be understood that the first login account and first login password may be generated by the electronic device and then sent to the server, or generated directly by the server; the embodiments of the present application do not limit this.
The electronic device may compute the first login account and first login password from the first identity authentication method, may obtain a pre-stored first login account and first login password by logging in to the cloud service corresponding to the first identity authentication method, or may obtain the first login account and first login password associated with the first identity authentication method directly from local storage.
It should be understood that the embodiments of the present application do not limit the specific manner in which the first login account and first login password are generated and stored.
Further, the initially encrypted role decryption key is stored in the user database on the server side, and the link between the user database and the key database may be known only to the electronic device and not to the backend server. Thus, when the user database is accessed to obtain an initially encrypted role decryption key, backend server staff cannot tell which user the accessed initially encrypted role decryption key belongs to, which further improves the security of the key retrieval process.
Step S255 above may be performed at any point between steps S220 and S250; the embodiment of the present application does not limit this.
Optionally, the encrypted first authentication decryption key and/or the initially encrypted role decryption key are stored locally, which allows a key management process that is partially or wholly independent of the server.
FIG. 4 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application. The embodiment shown in FIG. 4 extends the embodiment shown in FIG. 2 of the present application; the description below focuses on the differences between the two, and their common parts are not repeated.
As shown in FIG. 4, on the basis of the embodiment shown in FIG. 2, the key management method provided by the embodiment of the present application further includes the following.
S260: Randomly generate at least one role encryption key.
S265: Encrypt at least one target key with the at least one role encryption key, respectively, to obtain at least one encrypted target key.
S270: Store the at least one encrypted target key locally.
Specifically, the electronic device may set multiple roles for the digital identity through the first identity authentication method and generate a corresponding role encryption key for each role. The role encryption key may be generated randomly, or generated from specific information or by a specific algorithm. The generation process of the role encryption key may be set as required; the embodiment of the present application does not limit this.
The target key may be preset, and the target key encrypted with the role encryption key may be stored locally.
In this embodiment, step S260 may generate the role encryption key and the role decryption key at the same time, and the two may form an asymmetric key pair. In other embodiments, the role encryption key and role decryption key may be generated by the server, and the encrypted target key may also be stored on the server.
Step S260 above may be performed before or after step S220, or the two may be performed simultaneously; the embodiment of the present application does not limit this.
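The key hierarchy of steps S220, S230/S245 and S260 to S270 carried through in code, as an added example written for this page and not code from the application or its applicant. It assumes symmetric AES-256-GCM keys at every tier (the text allows symmetric or asymmetric keys, so here each encryption key doubles as its decryption key), a role-to-asset mapping, and constructed names and values (`Enrol`, `TargetKey`, `DeriveStorageKey`, the `wxid_constructed` WeChat ID and the parent names). The WeChat-ID-plus-parents'-names input of the FIG. 3 embodiment is run through a salted, iterated PBKDF2 rather than a plain hash, because the text itself notes that each half is known to some group of people.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed example, not code from the application. Every tier is a 32-byte
// AES-256-GCM key, so each encryption key doubles as its decryption key.

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal wraps pt under key, prepending the random nonce to the ciphertext.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

// open unwraps a seal() blob; a wrong key fails the GCM tag check.
func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// DeriveStorageKey is the third storage key of S230: non-public auth info plus
// the parents' names. Both are guessable, so one PBKDF2-HMAC-SHA256 block
// (RFC 8018, random salt, 100k iterations) is computed instead of a hash.
func DeriveStorageKey(authInfo, parentNames string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(authInfo+"\x00"+parentNames))
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// Identity holds wrapped key material only.
type Identity struct {
	Salt          []byte
	EncAuthDecKey []byte            // S245: auth decryption key under storage key
	EncRoleKeys   map[string][]byte // S220: role decryption key under auth key
	EncTargetKeys map[string][]byte // S265: target key under the owning role key
	AssetRole     map[string]string // asset -> role that manages it
}

// Enrol builds the hierarchy from roles (role -> assets) and targets (asset -> key).
func Enrol(authInfo, parentNames string, roles map[string][]string, targets map[string][]byte) *Identity {
	id := &Identity{Salt: randomBytes(16), EncRoleKeys: map[string][]byte{}, EncTargetKeys: map[string][]byte{}, AssetRole: map[string]string{}}
	authKey := randomBytes(32) // first authentication key
	for role, assets := range roles {
		roleKey := randomBytes(32) // S260
		for _, a := range assets {
			id.EncTargetKeys[a] = seal(roleKey, targets[a]) // S265
			id.AssetRole[a] = role
		}
		id.EncRoleKeys[role] = seal(authKey, roleKey) // S220
	}
	id.EncAuthDecKey = seal(DeriveStorageKey(authInfo, parentNames, id.Salt), authKey) // S245
	return id
}

// TargetKey is the login path: storage key -> auth decryption key -> role
// decryption key -> target key. Authentication is checked before any lookup.
func (id *Identity) TargetKey(authInfo, parentNames, asset string) ([]byte, error) {
	authKey, err := open(DeriveStorageKey(authInfo, parentNames, id.Salt), id.EncAuthDecKey)
	if err != nil {
		return nil, errors.New("first identity authentication failed")
	}
	role, ok := id.AssetRole[asset]
	if !ok {
		return nil, errors.New("asset is not managed by any role")
	}
	roleKey, err := open(authKey, id.EncRoleKeys[role])
	if err != nil {
		return nil, err
	}
	return open(roleKey, id.EncTargetKeys[asset])
}

func main() {
	id := Enrol("wxid_constructed", "Zhang San;Li Si", map[string][]string{"first": {"wechat"}}, map[string][]byte{"wechat": randomBytes(32)})
	_, err := id.TargetKey("wxid_constructed", "Zhang San;Li Si", "wechat")
	println("unwrap ok:", err == nil)
}
```

Everything the device keeps in `Identity` is ciphertext plus a salt; the only secret presented at login is the user's authentication information, and a wrong value fails at the first hop before any role or asset is looked up. A target key sealed under one role's key cannot be opened with another role's key, so the role-to-asset split of the text is enforced by the GCM tag rather than by a lookup table alone.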
According to an embodiment of the present application, the at least one role includes a first role and a second role, the digital identity includes a first permission level and a second permission level, the first permission level is lower than the second permission level, the first permission level has the right to manage the assets corresponding to the first role, the second permission level has the right to manage the assets corresponding to the first role and the second role, and the first identity authentication method corresponds to the first permission level. Here, encrypting the at least one role decryption key with the first authentication encryption key to obtain at least one initially encrypted role decryption key corresponding to the first identity authentication method (S220) includes: encrypting, with the first authentication encryption key, the first role decryption key corresponding to the first role and the second role decryption key corresponding to the second role, to obtain an initially encrypted first role decryption key and an initially encrypted second role decryption key corresponding to the first identity authentication method, so that a second identity authentication method having the second permission level can be added through the first identity authentication method.
In this embodiment, the first identity authentication method is the first identity authentication method under the digital identity, and other identity authentication methods may be added to the digital identity through it. That is, after the adding process, the digital identity may correspond to multiple identity authentication methods, which may correspond to the same user or to different users.
A digital identity may include multiple permission levels, each of which has the right to manage the assets corresponding to at least one of the multiple roles.
Specifically, all identity authentication methods corresponding to a digital identity may be partitioned by permission level, so that each identity authentication method has its own permission level and thereby holds asset management rights over the at least one role corresponding to that permission level.
For example, the first identity authentication method may correspond to a first permission level among the multiple permission levels, and the first permission level may have the right to manage the assets corresponding to the first role, so that a user who logs in to the digital identity through the first identity authentication method can manage the assets corresponding to the first role; the second identity authentication method may correspond to a second permission level among the multiple permission levels, and the second permission level may have the right to manage the assets corresponding to the first role and the second role, so that a user who logs in to the digital identity through the second identity authentication method can manage the assets corresponding to both the first role and the second role.
In practical applications, each identity authentication method may have a corresponding authentication encryption key and authentication decryption key; for example, the first identity authentication method may correspond to the first authentication encryption key and the first authentication decryption key. When the first permission level is assigned to the first identity authentication method, the first authentication encryption key may be used to encrypt the first role decryption key corresponding to the first permission level, obtaining the initially encrypted first role decryption key. In this way, when the user logs in to the digital identity through the first identity authentication method, the electronic device can obtain the first authentication decryption key, locate the initially encrypted first role decryption key, and decrypt it with the first authentication decryption key to obtain the first role decryption key. As another example, when the second permission level is assigned to the second identity authentication method, the second authentication encryption key may be used to encrypt, respectively, the first role decryption key and the second role decryption key corresponding to the second permission level, obtaining an initially encrypted first role decryption key and an initially encrypted second role decryption key. Likewise, when the user logs in to the digital identity through the second identity authentication method, the electronic device can obtain the second authentication decryption key, locate the initially encrypted first role decryption key and/or the initially encrypted second role decryption key according to the user's needs, and decrypt them with the second authentication decryption key to obtain the first role decryption key and/or the second role decryption key.
It should be understood that the specific division of assets, roles and permission levels, and the correspondence among them, may be set by those skilled in the art according to actual needs, or customized by the user within the system; the embodiments of the present application do not limit this.
In this embodiment, since the first identity authentication method is the first identity authentication method under the digital identity, subsequent identity authentication methods can only be added through it. Specifically, when a second identity authentication method having the second permission level is added to the digital identity, to improve the security of the key management process, it is necessary to log in to the digital identity through the first identity authentication method to obtain the first role decryption key and the second role decryption key, and to encrypt the first role decryption key and the second role decryption key with the second authentication encryption key corresponding to the second identity authentication method, so as to obtain the initially encrypted first role decryption key and the initially encrypted second role decryption key corresponding to the second identity authentication method.
In one embodiment, the permission level of each identity authentication method may be assigned by the user or determined by the inherent attributes of that identity authentication method. For example, the permission level of a "fingerprint" identity authentication method is higher than that of a "WeChat" identity authentication method.
In one embodiment, since the first identity authentication method is the first identity authentication method under the digital identity, to make it easy to add a second identity authentication method with a higher permission level, the first identity authentication method under the digital identity may have the highest permission level (e.g. the second permission level). Alternatively, the first identity authentication method under the digital identity has a lower permission level (e.g. the first permission level) but temporarily has the right to obtain the decryption keys of all roles; after the second identity authentication method having the second permission level has been added, the first identity authentication method reverts to the first permission level.
The process of adding a second identity authentication method to a digital identity through the first identity authentication method is described in detail below.
FIG. 5 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application. The method of FIG. 5 may be executed by an electronic device such as a mobile phone, and specifically by the client corresponding to the digital identity on the electronic device. As shown in FIG. 5, the key management method involves adding a second identity authentication method to a digital identity through the first identity authentication method and specifically includes the following.
S510: Obtain the first authentication decryption key corresponding to the first identity authentication method of the digital identity.
Specifically, the user may log in to the digital identity through the first identity authentication method.
In one embodiment, the first authentication decryption key may be obtained directly from local storage or from the server; in another embodiment, the encrypted first authentication decryption key may be obtained from local storage or from the server and decrypted with the third storage key to obtain the first authentication decryption key.
S520: Obtain the second authentication encryption key corresponding to the second identity authentication method to be added to the digital identity.
In one embodiment, the second authentication decryption key may be generated at the same time as the second authentication encryption key. The generation of the second authentication encryption key and second authentication decryption key follows that of the first authentication encryption key and first authentication decryption key, described for the embodiment of FIG. 2 above, and is not repeated here.
When the second identity authentication method and the first identity authentication method correspond to the same user, they may correspond to the same electronic device, in which case the second authentication encryption key and second authentication decryption key may be generated directly on that electronic device.
When the second identity authentication method and the first identity authentication method correspond to different users, they correspond to different electronic devices, in which case the second authentication encryption key and second authentication decryption key may be obtained as follows: the electronic device corresponding to the first identity authentication method receives the second authentication encryption key and second authentication decryption key sent by the electronic device corresponding to the second identity authentication method, these keys having been generated on the electronic device corresponding to the second identity authentication method.
S530: Decrypt the initially encrypted first role decryption key corresponding to the first identity authentication method with the first authentication decryption key to obtain the first role decryption key.
Specifically, the digital identity may correspond to at least one role, and each role corresponds to one role decryption key. According to the management rights preset for the second identity authentication method, the corresponding role decryption key is obtained using the first authentication decryption key. The preset management rights here may be set according to the user's wishes. When the at least one role comprises multiple roles, the user may preset the second identity authentication method to have the right to manage the assets corresponding to any one or several of those roles.
S540: Encrypt the first role decryption key with the second authentication encryption key to obtain the initially encrypted first role decryption key corresponding to the second identity authentication method.
The first role decryption key corresponds to the first role among the at least one role of the digital identity and is used to decrypt the encrypted first target key to obtain the first target key.
In one embodiment, the second authentication decryption key is used to decrypt the initially encrypted first role decryption key corresponding to the second identity authentication method to obtain the first role decryption key. The first target key is used to manage the assets corresponding to the first role.
When the second identity authentication method and the first identity authentication method correspond to the same user, they may correspond to the same electronic device, in which case that electronic device may store the initially encrypted first role decryption key corresponding to the second identity authentication method in the client and/or server corresponding to the second identity authentication method.
When the second identity authentication method and the first identity authentication method correspond to different users, they correspond to different electronic devices, in which case the electronic device corresponding to the first identity authentication method may send the initially encrypted first role decryption key corresponding to the second identity authentication method to the electronic device and/or server corresponding to the second identity authentication method.
The embodiment of the present application provides a key management method in which a second identity authentication method is added to a digital identity through the first identity authentication method, which enables classified management of keys and diversifies the key management process.
According to an embodiment of the present application, the first identity authentication method corresponds to a first permission level among the multiple permission levels of the digital identity, the second identity authentication method corresponds to a second permission level among the multiple permission levels, and the first permission level has the right to manage the assets corresponding to the first role. Here, before the initially encrypted first role decryption key corresponding to the first identity authentication method is decrypted with the first authentication decryption key, the key management method further includes: determining the second permission level of the second identity authentication method.
Specifically, while the electronic device corresponding to the first identity authentication method adds the second identity authentication method, the second permission level of the second identity authentication method may be set by the user corresponding to the first identity authentication method, set by the user corresponding to the second identity authentication method, or determined by the inherent attributes of the second identity authentication method.
According to an embodiment of the present application, the first permission level is higher than the second permission level, the first permission level also has the right to manage the assets corresponding to a second role among the at least one role, and the second permission level has the right to manage the assets corresponding to the first role.
In this embodiment, the first identity authentication method may add a second identity authentication method with a lower permission level than its own. Before the second identity authentication method is added, the first identity authentication method may be the only identity authentication method under the digital identity, or one of several identity authentication methods under the digital identity.
FIG. 6 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application. The embodiment shown in FIG. 6 extends the embodiment shown in FIG. 5 of the present application; the description below focuses on the differences between the two, and their common parts are not repeated.
In this embodiment, the first permission level is equal to the second permission level, and the first permission level also has the right to manage the assets corresponding to a second role among the at least one role. As shown in FIG. 6, the key management method further includes the following.
S561: Decrypt the initially encrypted second role decryption key corresponding to the first identity authentication method with the first authentication decryption key to obtain the second role decryption key.
S562: Encrypt the second role decryption key with the second authentication encryption key to obtain the initially encrypted second role decryption key corresponding to the second identity authentication method.
The second authentication decryption key is also used to decrypt the initially encrypted second role decryption key corresponding to the second identity authentication method to obtain the second role decryption key. The second role decryption key corresponds to the second role and is used to decrypt the encrypted second target key to obtain the second target key, which is used to manage the assets corresponding to the second role.
Here, step S561 may be performed simultaneously with step S530, and step S562 simultaneously with step S540.
In this embodiment, the first identity authentication method may add a second identity authentication method with a permission level equal to its own.
图7是本申请另一示例性实施例提供的密钥管理方法的流程示意图。在本申请图5所示实施例的基础上延伸出本申请图7所示实施例,下面着重叙述图7所示实施例与图5所示实施例的不同之处,相同之处不再赘述。FIG. 7 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application. On the basis of the embodiment shown in FIG. 5 of the present application, the embodiment shown in FIG. 7 of the present application is extended. The following focuses on the differences between the embodiment shown in FIG. 7 and the embodiment shown in FIG. 5 , and the similarities will not be repeated. .
在本实施例中,在添加第二身份认证方式前,第一身份认证方式为数字身份下唯一的认证方式,第一权限等级低于第二权限等级,第二权限等级具有管理第一角色和至少一个角色 中的第二角色对应资产的权限,具有第一权限等级的第一身份认证方式具有管理第一角色对应资产的权限,其中,如图7所示,该密钥管理方法还包括如下内容。In this embodiment, before adding the second identity authentication method, the first identity authentication method is the only authentication method under the digital identity, the first authority level is lower than the second authority level, and the second authority level has the management first role and The authority of the assets corresponding to the second role in the at least one role, and the first identity authentication method with the first authority level has the authority to manage the assets corresponding to the first role, wherein, as shown in FIG. 7 , the key management method also includes the following content.
S571:生成第二角色解密密钥。S571: Generate a second character decryption key.
具体地,第二角色解密密钥可以由电子设备生成,例如数字身份对应的客户端生成;或由服务器端生成发送至电子设备。Specifically, the second character decryption key may be generated by the electronic device, for example, generated by the client corresponding to the digital identity; or generated by the server and sent to the electronic device.
S572:利用第二认证加密密钥对第二角色解密密钥进行加密,得到第二身份认证方式对应的初始加密第二角色解密密钥。S572: Encrypt the second character decryption key by using the second authentication encryption key to obtain the initially encrypted second character decryption key corresponding to the second identity authentication method.
第二认证解密密钥还用于对第二身份认证方式对应的初始加密第二角色解密密钥进行解密,得到第二角色解密密钥,第二角色解密密钥与第二角色对应,用于对加密后的第二目标密钥进行解密,以得到第二目标密钥,第二目标密钥用于管理第二角色对应的资产。The second authentication decryption key is also used to decrypt the initially encrypted second role decryption key corresponding to the second identity authentication method to obtain the second role decryption key, and the second role decryption key corresponds to the second role and is used for Decrypt the encrypted second target key to obtain the second target key, and the second target key is used to manage the assets corresponding to the second role.
具体地,在某些实施例中,步骤S571与步骤S572的执行主体可以是第一身份认证方式对应的电子设备。第二角色解密密钥可以由第一身份认证方式对应的电子设备生成;或者第二角色解密密钥可以由服务器端生成,第一身份认证方式对应的电子设备从服务器端获取第二角色解密密钥;或者,第二角色解密密钥可以由第二身份认证方式对应的电子设备生成,第一身份认证方式对应的电子设备从第二身份认证方式对应的电子设备获取第二角色解密密钥。第二身份认证方式对应的初始加密第二角色解密密钥可以保存在第二身份认证方式对应的电子设备或服务器端。Specifically, in some embodiments, the execution subject of step S571 and step S572 may be an electronic device corresponding to the first identity authentication method. The second role decryption key may be generated by the electronic device corresponding to the first identity authentication method; or the second role decryption key may be generated by the server, and the electronic device corresponding to the first identity authentication method obtains the second role decryption key from the server. Alternatively, the second role decryption key may be generated by an electronic device corresponding to the second identity authentication method, and the electronic device corresponding to the first identity authentication method obtains the second role decryption key from the electronic device corresponding to the second identity authentication method. The initially encrypted second role decryption key corresponding to the second identity authentication method may be stored in the electronic device or server side corresponding to the second identity authentication method.
在其他实施例中,步骤S571与步骤S572中的至少一个的执行主体可以是第二身份认证方式对应的电子设备或服务器端。第二身份认证方式对应的初始加密第二角色解密密钥可以保存在第二身份认证方式对应的电子设备或服务器端。In other embodiments, the execution subject of at least one of steps S571 and S572 may be an electronic device or a server side corresponding to the second identity authentication method. The initially encrypted second role decryption key corresponding to the second identity authentication method may be stored in the electronic device or server side corresponding to the second identity authentication method.
在一实施例中,当数字身份对应多个身份认证方式时,多个身份认证方式中的低权限等级的身份认证方式无法添加比其权限等级高的身份认证方式,需要通过多个身份认证方式中的高权限等级添加低于或等于该高权限等级的身份认证方式。在本实施例中,由于第一身份认证方式是唯一的身份认证方式,在添加比其权限等级高的身份认证方式,可以通过第一身份认证方式获取第一角色解密密钥,进而赋予该权限等级高的身份认证方式获取第一角色解密密钥的权限,同时可以通过生成第二角色解密密钥,进而赋予该权限等级高的身份认证方式获取第二角色解密密钥的权限。In one embodiment, when a digital identity corresponds to multiple identity authentication methods, an identity authentication method with a lower authority level among the multiple identity authentication methods cannot be added to an identity authentication method with a higher authority level, and multiple identity authentication methods are required. Add the authentication methods that are lower than or equal to the high-privilege level in the high-privilege level. In this embodiment, since the first identity authentication method is the only identity authentication method, when an identity authentication method with a higher authority level is added, the first role decryption key can be obtained through the first identity authentication method, and then the authority can be given The high-level identity authentication method obtains the authority of the decryption key of the first role, and at the same time, the authorization of obtaining the decryption key of the second role can be given to the identity authentication method with a high authority level by generating the second role's decryption key.
An exemplary embodiment of the present application provides a key management method that may be performed by an electronic device, such as a mobile phone, and specifically by the client corresponding to the digital identity on the electronic device. The key management method concerns the process of changing the authority level of a third identity authentication method through the first identity authentication method, and specifically includes: deleting the initially encrypted second role decryption key corresponding to the third identity authentication method, so as to lower the authority level of the third identity authentication method.
The digital identity includes at least the first identity authentication method and the third identity authentication method. The first identity authentication method corresponds to a first authority level among the multiple authority levels of the digital identity, and the third identity authentication method corresponds to a third authority level among the multiple authority levels; the third authority level is equal to or lower than the first authority level, and the third authority level has the authority to manage the assets corresponding to the first role and to a second role among the at least one role.
If the third identity authentication method and the first identity authentication method correspond to the same electronic device of the same user, the initially encrypted second role decryption key corresponding to the third identity authentication method is stored on that electronic device and can be deleted by it directly. If the third identity authentication method and the first identity authentication method correspond to different users, the initially encrypted second role decryption key corresponding to the third identity authentication method is stored on the electronic device corresponding to the third identity authentication method, and the electronic device corresponding to the first identity authentication method can delete it by sending an instruction to the electronic device corresponding to the third identity authentication method. If the initially encrypted second role decryption key corresponding to the third identity authentication method is stored locally, the electronic device deletes it directly. If it is stored on the server side, the electronic device corresponding to the first identity authentication method deletes it by sending an instruction to the server side.
In this embodiment, lowering the authority level of the third identity authentication method by deleting the initially encrypted second role decryption key corresponding to the third identity authentication method involves only the key corresponding to the third identity authentication method and leaves the keys corresponding to the other identity authentication methods unaffected. This method is better suited to a digital identity with many identity authentication methods, and can lower the authority level of the third identity authentication method quickly.
In another embodiment, the third identity authentication method may be removed from the digital identity by further deleting the initially encrypted first role decryption key corresponding to the third identity authentication method.
The process for deleting the initially encrypted first role decryption key corresponding to the third identity authentication method is similar to the process described above for deleting the initially encrypted second role decryption key corresponding to the third identity authentication method.
FIG. 8 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application. The method of FIG. 8 may be performed by an electronic device, such as a mobile phone, and specifically by the client corresponding to the digital identity on the electronic device. As shown in FIG. 8, the key management method concerns the process of changing the authority level of the third identity authentication method through the first identity authentication method, and specifically includes the following.
S810: Generate a new second role decryption key.
S820: Encrypt the new second role decryption key using the first authentication encryption key corresponding to the first authentication decryption key, to obtain a new initially encrypted second role decryption key corresponding to the first identity authentication method, so as to lower the authority level of the third identity authentication method.
The digital identity includes at least the first identity authentication method and the third identity authentication method. The first identity authentication method corresponds to a first authority level among the multiple authority levels of the digital identity, and the third identity authentication method corresponds to a third authority level among the multiple authority levels; the third authority level is equal to or lower than the first authority level, and the third authority level has the authority to manage the assets corresponding to the first role and to a second role among the at least one role.
The first authentication decryption key is used to decrypt the new initially encrypted second role decryption key corresponding to the first identity authentication method, to obtain the new second role decryption key. The new second role decryption key corresponds to the second role and is used to decrypt the encrypted second target key to obtain the second target key, which is used to manage the assets corresponding to the second role.
In this embodiment, lowering the authority level of the third identity authentication method by generating a new role decryption key need not involve the key corresponding to the third identity authentication method. This method is better suited to a digital identity with few identity authentication methods; it avoids any interaction between the two identity authentication methods and can therefore lower the authority level of the third identity authentication method quickly.
In one embodiment, a new second role encryption key may also be generated at the same time as the new second role decryption key.
In one embodiment, the third identity authentication method may also be removed from the digital identity by generating a new first role decryption key and encrypting it using the first authentication encryption key corresponding to the first authentication decryption key, to obtain a new initially encrypted first role decryption key corresponding to the first identity authentication method.
FIG. 9 is a schematic flowchart of a key management method provided by another exemplary embodiment of the present application. The method of FIG. 9 may be performed by an electronic device, such as a mobile phone, and specifically by the client corresponding to the digital identity on the electronic device. As shown in FIG. 9, the key management method concerns the process of changing the authority level of the third identity authentication method through the first identity authentication method, and specifically includes the following.
S910: Obtain the third authentication encryption key corresponding to the third identity authentication method.
For the generation and acquisition of the third authentication encryption key, refer to the generation and acquisition of the second authentication encryption key in the embodiment of FIG. 5 above; to avoid repetition, it is not described again here.
S920: Decrypt, using the first authentication decryption key, the initially encrypted second role decryption key corresponding to the first identity authentication method, to obtain the second role decryption key.
S930: Encrypt the second role decryption key using the third authentication encryption key, to obtain the initially encrypted second role decryption key corresponding to the third identity authentication method, so as to raise the authority level of the third identity authentication method.
The digital identity includes at least the first identity authentication method and the third identity authentication method. The first identity authentication method corresponds to a first authority level among the multiple authority levels of the digital identity, and the third identity authentication method corresponds to a third authority level among the multiple authority levels; the third authority level is lower than the first authority level; the first authority level has the authority to manage the assets corresponding to the first role and to a second role among the at least one role, and the third authority level has the authority to manage the assets corresponding to the first role.
The third authentication decryption key corresponds to the third authentication encryption key and is used to decrypt the initially encrypted second role decryption key corresponding to the third identity authentication method, to obtain the second role decryption key. The second role decryption key corresponds to the second role and is used to decrypt the encrypted second target key to obtain the second target key, which is used to manage the assets corresponding to the second role.
In this embodiment, raising the authority level of the third identity authentication method through the first identity authentication method makes the management of all assets under the digital identity by the individual identity authentication methods more flexible.
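The procedures above (adding an equal-level method in FIG. 6, creating a second role for a higher-level method in FIG. 7, lowering a level by deleting a wrapped role key, lowering it by rotating the role key in FIG. 8, and raising it by re-wrapping in FIG. 9) all come down to moving a role decryption key from one authentication key to another. The following Python model is an added example written for this page, not code from the application or the applicant. It assumes symmetric wrapping (so each "encryption key" and "decryption key" of the page coincide), a toy HMAC-based wrapper standing in for the cipher the page leaves unspecified, that a fresh target key is created together with a fresh role key, and the constructed method names "owner", "phone" and "backup" and role names "role1" and "role2".

```python
import hashlib, hmac, os

# Toy encrypt-then-MAC wrap from HMAC-SHA256 so the example runs on the standard
# library alone; the page leaves the cipher unspecified, a deployment would use a
# real AEAD or an asymmetric wrapping scheme.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(key, secret):
    """Return nonce || ciphertext || tag for `secret` under `key`."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(key, nonce, len(secret))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    """Inverse of wrap(); raises ValueError unless `key` is the wrapping key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class DigitalIdentity:
    """authentication key -> wrapped role key -> role key -> wrapped target key -> target key.
    A method's authority level is the set of roles wrapped under its authentication key."""

    def __init__(self):
        self.auth_keys = {}   # method -> authentication key (symmetric, so enc key == dec key)
        self.wrapped = {}     # (method, role) -> "initially encrypted role decryption key"
        self.targets = {}     # role -> target key wrapped under the role key

    def enrol(self, method):
        """Stand-in for S510/S520: the new method contributes its authentication key."""
        self.auth_keys[method] = os.urandom(32)

    def authority(self, method):
        return {r for (m, r) in self.wrapped if m == method}

    def _role_key(self, method, role):
        return unwrap(self.auth_keys[method], self.wrapped[(method, role)])

    def new_role(self, method, role):
        """S571/S572: fresh role key (plus, by assumption, a fresh target key) wrapped for `method` only."""
        role_key, target_key = os.urandom(32), os.urandom(32)
        self.targets[role] = wrap(role_key, target_key)
        self.wrapped[(method, role)] = wrap(self.auth_keys[method], role_key)

    def grant(self, admin, to, role):
        """S530/S540, S561/S562 and S910-S930: `admin` unwraps a role key it holds and re-wraps it for `to`."""
        if role not in self.authority(admin):      # a method never hands out a role it lacks
            raise PermissionError(f"{admin} does not hold {role}")
        self.wrapped[(to, role)] = wrap(self.auth_keys[to], self._role_key(admin, role))

    def revoke(self, method, role):
        """Demotion by deletion; deleting the last wrapped role key removes the method."""
        del self.wrapped[(method, role)]
        if not self.authority(method):
            del self.auth_keys[method]

    def rotate_role(self, admin, role):
        """Demotion by rotation (S810/S820): new role key, target re-wrapped under it, only
        `admin` receives the new wrapped copy. Returns the methods whose copies went stale."""
        target_key = unwrap(self._role_key(admin, role), self.targets[role])
        new_role_key = os.urandom(32)
        self.targets[role] = wrap(new_role_key, target_key)
        self.wrapped[(admin, role)] = wrap(self.auth_keys[admin], new_role_key)
        return sorted(m for (m, r) in self.wrapped if r == role and m != admin)

    def can_open(self, method, role):
        """True when `method` reaches the role's current target key through both unwraps."""
        try:
            unwrap(self._role_key(method, role), self.targets[role])
            return True
        except (KeyError, ValueError):
            return False

def demo():
    """Constructed scenario: 'owner' holds both roles, 'phone' is equal level, 'backup' is lower."""
    idn = DigitalIdentity()
    idn.enrol("owner")
    idn.new_role("owner", "role1")
    idn.new_role("owner", "role2")
    idn.enrol("phone")                               # Fig. 6: add an equal-level method
    for role in ("role1", "role2"):
        idn.grant("owner", "phone", role)
    idn.enrol("backup")                              # lower-level method: role1 only
    idn.grant("owner", "backup", "role1")
    try:
        idn.grant("backup", "phone", "role2")        # lower level cannot grant upward
        upward_blocked = False
    except PermissionError:
        upward_blocked = True
    idn.grant("owner", "backup", "role2")            # Fig. 9: promotion by re-wrapping
    idn.revoke("phone", "role2")                     # demotion by deletion
    stale = idn.rotate_role("owner", "role2")        # Fig. 8: demotion by rotation
    return {
        "upward_blocked": upward_blocked,
        "phone": idn.authority("phone"),
        "backup_copies": idn.authority("backup"),               # still lists role2 ...
        "backup_opens_role2": idn.can_open("backup", "role2"),  # ... but the copy is stale
        "owner_opens_role2": idn.can_open("owner", "role2"),
        "stale_after_rotation": stale,
    }
```

The rotation path makes the trade-off stated in the page concrete: rotate_role() touches only the first method's copy, so every other method that holds the role ("backup" here) keeps a wrapped copy that still appears in authority() but no longer opens the current target key. Re-granting the methods that should keep access, or deleting their stale copies, is the operator's follow-up step, which is why the page recommends rotation when the identity has few authentication methods and deletion when it has many.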
Exemplary apparatus
FIG. 10 is a schematic structural diagram of a key management apparatus 1000 provided by an exemplary embodiment of the present application. As shown in FIG. 10, the apparatus 1000 includes a first acquisition module 1010 and a first encryption module 1020.
The first acquisition module 1010 is configured to obtain the user's authorization through a first identity authentication method so as to generate a first authentication encryption key, where the first identity authentication method is used to log in to a digital identity. The first encryption module 1020 is configured to encrypt at least one role decryption key using the first authentication encryption key, to obtain at least one initially encrypted role decryption key corresponding to the first identity authentication method, where the at least one role decryption key corresponds one-to-one with at least one role of the digital identity and is used to decrypt at least one encrypted target key to obtain at least one target key.
An embodiment of the present application provides a key management apparatus that generates a first authentication encryption key corresponding to a first identity authentication method and uses the first authentication encryption key to encrypt at least one role decryption key under the digital identity, where the at least one role decryption key is used to decrypt the encrypted target key to obtain at least one target key. The identity authentication method can thereby be associated with the target key, which simplifies the management and use of the target key.
According to an embodiment of the present invention, the apparatus 1000 further includes: a first generation module 1030, configured to generate a third storage key based on the identity authentication information corresponding to the first identity authentication method, and to generate a first authentication decryption key corresponding to the first authentication encryption key; and a second encryption module 1040, configured to encrypt the first authentication decryption key using the third storage key, to obtain the encrypted first authentication decryption key.
According to an embodiment of the present invention, the identity authentication information is non-public identity authentication information, and the first generation module 1030 is configured to generate the third storage key based on the non-public identity authentication information and the names of the parents of the user corresponding to the first identity authentication method.
According to an embodiment of the present invention, the apparatus 1000 further includes a sending module 1050, configured to submit the encrypted first authentication decryption key to the server side, and to submit the at least one initially encrypted role decryption key to the server side.
According to an embodiment of the present invention, the apparatus 1000 further includes a third encryption module 1060, configured to encrypt the at least one target key using the at least one role encryption key respectively, to obtain at least one encrypted target key.
According to an embodiment of the present invention, the apparatus 1000 further includes a storage module 1070, configured to store the at least one encrypted target key locally.
According to an embodiment of the present invention, the apparatus 1000 further includes a second generation module 1080, configured to randomly generate the at least one role decryption key.
It should be understood that, for the operations and functions of the first acquisition module 1010, the first encryption module 1020, the first generation module 1030, the second encryption module 1040, the sending module 1050, the third encryption module 1060, the storage module 1070 and the second generation module 1080 in the above embodiment, reference may be made to the description of the key management methods provided in the embodiments of FIG. 2 to FIG. 4; to avoid repetition, they are not described again here.
FIG. 11 is a schematic structural diagram of a key management apparatus 1100 provided by another exemplary embodiment of the present application. As shown in FIG. 11, the apparatus 1100 includes a first acquisition module 1110, a second acquisition module 1120, a first decryption module 1130 and a first encryption module 1140.
The first acquisition module 1110 is configured to obtain the first authentication decryption key corresponding to the first identity authentication method of the digital identity. The second acquisition module 1120 is configured to obtain the second authentication encryption key corresponding to a second identity authentication method to be added to the digital identity. The first decryption module 1130 is configured to decrypt, using the first authentication decryption key, the initially encrypted first role decryption key corresponding to the first identity authentication method, to obtain the first role decryption key. The first encryption module 1140 is configured to encrypt the first role decryption key using the second authentication encryption key, to obtain the initially encrypted first role decryption key corresponding to the second identity authentication method, where the first role decryption key corresponds to a first role among the at least one role of the digital identity and is used to decrypt the encrypted first target key to obtain the first target key.
An embodiment of the present application provides a key management apparatus that adds a second identity authentication method to a digital identity through the first identity authentication method, which enables classified management of keys and diversifies the key management process.
According to an embodiment of the present invention, the first identity authentication method corresponds to a first authority level among the multiple authority levels of the digital identity, the second identity authentication method corresponds to a second authority level among the multiple authority levels, and the first authority level has the authority to manage the assets corresponding to the first role. The apparatus 1100 further includes a first determination module 1150, configured to determine the second authority level of the second identity authentication method before the first decryption module 1130 decrypts, using the first authentication decryption key, the initially encrypted first role decryption key corresponding to the first identity authentication method.
According to an embodiment of the present invention, the first authority level is higher than the second authority level; the first authority level also has the authority to manage the assets corresponding to a second role among the at least one role, and the second authority level has the authority to manage the assets corresponding to the first role.
According to an embodiment of the present invention, the first authority level is equal to the second authority level, and the first authority level also has the authority to manage the assets corresponding to a second role among the at least one role. The first decryption module 1130 is further configured to decrypt, using the first authentication decryption key, the initially encrypted second role decryption key corresponding to the first identity authentication method, to obtain the second role decryption key; and the first encryption module 1140 is further configured to encrypt the second role decryption key using the second authentication encryption key, to obtain the initially encrypted second role decryption key corresponding to the second identity authentication method, where the second role decryption key corresponds to the second role and is used to decrypt the encrypted second target key to obtain the second target key; the first target key is used to manage the assets corresponding to the first role, and the second target key is used to manage the assets corresponding to the second role.
According to an embodiment of the present invention, the first authority level is lower than the second authority level, and the second authority level has the authority to manage the assets corresponding to the first role and to a second role among the at least one role. The apparatus 1100 further includes: a first generation module 1160, configured to generate a second role decryption key; and a second encryption module 1170, configured to encrypt the second role decryption key using the second authentication encryption key, to obtain the initially encrypted second role decryption key corresponding to the second identity authentication method, where the second role decryption key corresponds to the second role and is used to decrypt the encrypted second target key to obtain the second target key; the first target key is used to manage the assets corresponding to the first role, and the second target key is used to manage the assets corresponding to the second role.
According to an embodiment of the present invention, the apparatus 1100 further includes a first storage module 1180, configured to store the initially encrypted first role decryption key corresponding to the second identity authentication method on the server side or on the client corresponding to the second identity authentication method.
According to an embodiment of the present invention, the digital identity further includes a third identity authentication method. The first identity authentication method corresponds to a first authority level among the multiple authority levels of the digital identity, and the third identity authentication method corresponds to a third authority level among the multiple authority levels; the third authority level is equal to or lower than the first authority level, and has the authority to manage the assets corresponding to the first role and to a second role among the at least one role. The apparatus 1100 further includes a first deletion module 1181, configured to delete the initially encrypted second role decryption key corresponding to the third identity authentication method, so as to lower the authority level of the third identity authentication method.
According to an embodiment of the present invention, the first deletion module 1181 is further configured to delete the initially encrypted first role decryption key corresponding to the third identity authentication method, so as to remove the third identity authentication method from the digital identity.
According to an embodiment of the present invention, the digital identity further includes a third identity authentication method. The first identity authentication method corresponds to a first authority level among the multiple authority levels of the digital identity, and the third identity authentication method corresponds to a third authority level among the multiple authority levels; the third authority level is equal to or lower than the first authority level, and has the authority to manage the assets corresponding to the first role and to a second role among the at least one role. The apparatus 1100 further includes: a second generation module 1182, configured to generate a new second role decryption key; and a third encryption module 1183, configured to encrypt the new second role decryption key using the first authentication encryption key corresponding to the first authentication decryption key, to obtain a new initially encrypted second role decryption key corresponding to the first identity authentication method, so as to lower the authority level of the third identity authentication method, where the new second role decryption key corresponds to the second role and is used to decrypt the encrypted second target key to obtain the second target key; the first target key is used to manage the assets corresponding to the first role, and the second target key is used to manage the assets corresponding to the second role.
根据本发明一实施例,第二生成模块1182还用于生成新的第一角色解密密钥;第三加密模块1183还用于利用第一认证解密密钥对应的第一认证加密密钥对新的第一角色解密密钥进行加密,得到第一身份认证方式对应的新的初始加密第一角色解密密钥,以将第三身份认证方式从数字身份中删除。According to an embodiment of the present invention, the second generation module 1182 is further configured to generate a new first character decryption key; the third encryption module 1183 is further configured to use the first authentication encryption key corresponding to the first authentication decryption key to pair the new Encrypt the first character decryption key of the first identity authentication method to obtain a new initial encrypted first character decryption key corresponding to the first identity authentication method, so as to delete the third identity authentication method from the digital identity.
According to an embodiment of the present invention, the digital identity further includes a third identity authentication method; the first identity authentication method corresponds to a first permission level among the multiple permission levels of the digital identity, and the third identity authentication method corresponds to a third permission level among the multiple permission levels; the third permission level is lower than the first permission level; the first permission level has the permission to manage the assets corresponding to the first role and to a second role among the at least one role, and the third permission level has the permission to manage the assets corresponding to the first role. The apparatus 1100 further includes: a third obtaining module 1184, configured to obtain a third authentication encryption key corresponding to the third identity authentication method, wherein the first decryption module 1130 is further configured to decrypt, with the first authentication decryption key, the initial encrypted second role decryption key corresponding to the first identity authentication method to obtain the second role decryption key; and a fourth encryption module 1185, configured to encrypt the second role decryption key with the third authentication encryption key to obtain an initial encrypted second role decryption key corresponding to the third identity authentication method, so as to raise the permission level of the third identity authentication method, wherein the second role decryption key corresponds to the second role and is used to decrypt the encrypted second target key to obtain the second target key, the first target key is used to manage the assets corresponding to the first role, and the second target key is used to manage the assets corresponding to the second role.
It should be understood that, for the operations and functions of the first obtaining module 1110, the second obtaining module 1120, the first decryption module 1130, the first encryption module 1140, the first determination module 1150, the first generation module 1160, the second encryption module 1170, the first storage module 1180, the first deletion module 1181, the second generation module 1182, the third encryption module 1183, the third obtaining module 1184 and the fourth encryption module 1185 in the above embodiments, reference may be made to the description of the key management method provided in the embodiments of FIGS. 5 to 9 above; to avoid repetition, they are not described again here.
FIG. 12 is a block diagram of an electronic device 1200 for key management provided by an exemplary embodiment of the present application.
Referring to FIG. 12, the electronic device 1200 includes a processor 1210 and memory resources, represented by a memory 1220, for storing instructions executable by the processor 1210, such as an application program. The application program stored in the memory 1220 may include one or more modules, each corresponding to a set of instructions. Furthermore, the processor 1210 is configured to execute the instructions so as to perform the key management method described above.
The electronic device 1200 may further include a power supply component configured to perform power management of the electronic device 1200, a wired or wireless network interface configured to connect the electronic device 1200 to a network, and an input/output (I/O) interface. The electronic device 1200 may operate based on an operating system stored in the memory 1220, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
A non-transitory computer-readable storage medium is also provided: when the instructions in the storage medium are executed by the processor of the electronic device 1200, the electronic device 1200 is enabled to perform a key management method. The key management method includes: obtaining the user's authorization through a first identity authentication method to generate a first authentication encryption key, wherein the first identity authentication method is used to log in to a digital identity; and encrypting at least one role decryption key with the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication method, wherein the at least one role decryption key corresponds one-to-one with at least one role of the digital identity and is used to decrypt at least one encrypted target key to obtain at least one target key. Alternatively, the key management method includes: obtaining a first authentication decryption key corresponding to a first identity authentication method of a digital identity; obtaining a second authentication encryption key corresponding to a second identity authentication method to be added to the digital identity; decrypting, with the first authentication decryption key, the initial encrypted first role decryption key corresponding to the first identity authentication method to obtain a first role decryption key; and encrypting the first role decryption key with the second authentication encryption key to obtain an initial encrypted first role decryption key corresponding to the second identity authentication method, wherein the first role decryption key corresponds to a first role among the at least one role of the digital identity and is used to decrypt an encrypted first target key to obtain the first target key.
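The two methods summarised above, together with the permission-level adjustments of the apparatus embodiments (adding a method, lowering a level by deletion or by rekeying, raising a level), as an added, runnable model that is not the applicant's code. It assumes one symmetric key in place of the patent's authentication encryption/decryption key pair, uses an HMAC-SHA256 construction as a stand-in for a real key-wrap cipher, and generalises the rekeying alternative so that the new role key is re-issued to every method except the ones being demoted; the method names and keys are constructed for the example.

```python
"""Toy model of the key hierarchy described above (added example, not the
applicant's code).  Assumptions: one symmetric key stands in for the patent's
authentication encryption/decryption key pair, and HMAC-SHA256 in counter mode
plus an HMAC tag stands in for a real key-wrap cipher such as AES-GCM."""
import hashlib
import hmac
import os


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(key, secret):
    """Encrypt-then-MAC: nonce || ciphertext || tag; used for every layer below."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key, blob):
    """Verify the tag first, so a wrong key fails loudly instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrapped key does not verify under this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class DigitalIdentity:
    """A method's permission level is the set of roles whose role decryption key is
    stored wrapped under that method's authentication key (the claims' "initial
    encrypted role decryption key").  Clear keys exist only transiently in here."""

    def __init__(self, first_method, first_auth_key, roles):
        self.auth_keys = {first_method: first_auth_key}
        self.encrypted_target = {}                   # role -> target key wrapped by role key
        self.wrapped_role_keys = {first_method: {}}  # method -> role -> wrapped role key
        for role in roles:
            role_key = os.urandom(32)                # claim 7: randomly generated
            self.encrypted_target[role] = wrap(role_key, os.urandom(32))  # claim 5
            self.wrapped_role_keys[first_method][role] = wrap(first_auth_key, role_key)

    def level(self, method):
        """Roles the method can manage; a higher level is a superset of a lower one."""
        return frozenset(self.wrapped_role_keys.get(method, {}))

    def _role_key(self, method, role):
        blob = self.wrapped_role_keys.get(method, {}).get(role)
        if blob is None:
            raise PermissionError(f"{method!r} holds no key for role {role!r}")
        return unwrap(self.auth_keys[method], blob)

    def target_key(self, method, role):
        """Two unwraps: authentication key -> role decryption key -> target key."""
        return unwrap(self._role_key(method, role), self.encrypted_target[role])

    def can_manage(self, method, role):
        try:
            self.target_key(method, role)
            return True
        except (PermissionError, KeyError):
            return False

    def add_method(self, via, new, new_auth_key, roles):
        """Claims 8 and 11: an existing method re-wraps role keys for a new method,
        so the new method can never exceed the level of the one vouching for it."""
        self.auth_keys[new] = new_auth_key
        self.wrapped_role_keys[new] = {}
        for role in roles:
            self.grant(via, new, role)

    def grant(self, via, to, role):
        """Claim 14: raise a method's level by handing it one more wrapped role key."""
        self.wrapped_role_keys[to][role] = wrap(self.auth_keys[to], self._role_key(via, role))

    def revoke(self, method, role):
        """Claim 13, first alternative: lower a level by deleting the wrapped role key.
        A copy of the blob taken before deletion would still unwrap, hence rekey_role."""
        self.wrapped_role_keys[method].pop(role, None)

    def rekey_role(self, via, role, revoke_from=()):
        """Claim 13, second alternative, generalised: a method still holding the role
        generates a new role decryption key, re-wraps the target key under it and
        re-issues it to every method except those being demoted."""
        target = self.target_key(via, role)
        new_role_key = os.urandom(32)
        self.encrypted_target[role] = wrap(new_role_key, target)
        for method, keys in self.wrapped_role_keys.items():
            if role in keys:
                if method in revoke_from:
                    del keys[role]
                else:
                    keys[role] = wrap(self.auth_keys[method], new_role_key)
```

The difference between `revoke` and `rekey_role` is the point to take from the two alternatives of claim 13: deletion only removes the server's or client's copy of the wrapped key, while rekeying makes every previously issued copy useless.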
All of the above optional technical solutions may be combined in any manner to form optional embodiments of the present invention, which are not described one by one here.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of the present invention.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation: for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
It should be noted that, in the description of the present invention, the terms "first", "second", "third" and the like are used for descriptive purposes only and should not be construed as indicating or implying relative importance. In addition, in the description of the present invention, unless otherwise specified, "multiple" means two or more.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement or the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (25)

  1. A key management method, comprising:
    obtaining a user's authorization through a first identity authentication method to generate a first authentication encryption key, wherein the first identity authentication method is used to log in to a digital identity; and
    encrypting at least one role decryption key with the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication method, wherein
    the at least one role decryption key corresponds one-to-one with at least one role of the digital identity and is used to decrypt at least one encrypted target key to obtain at least one target key.
  2. The key management method according to claim 1, further comprising:
    generating a third storage key based on identity authentication information corresponding to the first identity authentication method;
    generating a first authentication decryption key corresponding to the first authentication encryption key; and
    encrypting the first authentication decryption key with the third storage key to obtain an encrypted first authentication decryption key.
  3. The key management method according to claim 2, wherein the identity authentication information is non-public identity authentication information, and the generating a third storage key based on the identity authentication information corresponding to the first identity authentication method comprises:
    generating the third storage key based on the non-public identity authentication information and the names of the parents of the user corresponding to the first identity authentication method.
  4. The key management method according to claim 2, further comprising:
    submitting the encrypted first authentication decryption key to a server side; and
    submitting the at least one initial encrypted role decryption key to the server side.
  5. The key management method according to claim 2, further comprising:
    encrypting the at least one target key with at least one role encryption key, respectively, to obtain the at least one encrypted target key.
  6. The key management method according to claim 5, further comprising:
    storing the at least one encrypted target key locally.
  7. The key management method according to any one of claims 1 to 6, further comprising:
    randomly generating the at least one role decryption key.
  8. The key management method according to any one of claims 1 to 7, further comprising:
    obtaining a first authentication decryption key corresponding to the first identity authentication method of the digital identity;
    obtaining a second authentication encryption key corresponding to a second identity authentication method to be added to the digital identity;
    decrypting, with the first authentication decryption key, an initial encrypted first role decryption key corresponding to the first identity authentication method to obtain a first role decryption key; and
    encrypting the first role decryption key with the second authentication encryption key to obtain an initial encrypted first role decryption key corresponding to the second identity authentication method, wherein
    the first role decryption key corresponds to a first role among the at least one role of the digital identity and is used to decrypt an encrypted first target key to obtain a first target key.
  9. The key management method according to claim 8, wherein the first identity authentication method corresponds to a first permission level among multiple permission levels of the digital identity, the second identity authentication method corresponds to a second permission level among the multiple permission levels, and the first permission level has the permission to manage assets corresponding to the first role, wherein,
    before the decrypting, with the first authentication decryption key, the initial encrypted first role decryption key corresponding to the first identity authentication method, the key management method further comprises:
    determining the second permission level of the second identity authentication method.
  10. The key management method according to claim 9, wherein the first permission level is higher than the second permission level, the first permission level further has the permission to manage assets corresponding to a second role among the at least one role, and the second permission level has the permission to manage the assets corresponding to the first role.
  11. The key management method according to claim 9, wherein the first permission level is equal to the second permission level, and the first permission level further has the permission to manage assets corresponding to a second role among the at least one role, wherein the key management method further comprises:
    decrypting, with the first authentication decryption key, an initial encrypted second role decryption key corresponding to the first identity authentication method to obtain a second role decryption key; and
    encrypting the second role decryption key with the second authentication encryption key to obtain an initial encrypted second role decryption key corresponding to the second identity authentication method, wherein
    the second role decryption key corresponds to the second role and is used to decrypt an encrypted second target key to obtain a second target key, the first target key is used to manage the assets corresponding to the first role, and the second target key is used to manage the assets corresponding to the second role.
  12. The key management method according to claim 9, wherein the first permission level is lower than the second permission level, and the second permission level has the permission to manage the assets corresponding to the first role and to a second role among the at least one role, wherein the key management method further comprises:
    generating a second role decryption key; and
    encrypting the second role decryption key with the second authentication encryption key to obtain an initial encrypted second role decryption key corresponding to the second identity authentication method, wherein
    the second role decryption key corresponds to the second role and is used to decrypt an encrypted second target key to obtain a second target key, the first target key is used to manage the assets corresponding to the first role, and the second target key is used to manage the assets corresponding to the second role.
  13. The key management method according to claim 8, wherein the digital identity further comprises a third identity authentication method, the first identity authentication method corresponds to a first permission level among multiple permission levels of the digital identity, the third identity authentication method corresponds to a third permission level among the multiple permission levels, the third permission level is equal to or lower than the first permission level, and the third permission level has the permission to manage the assets corresponding to the first role and to a second role among the at least one role, wherein
    the key management method further comprises:
    deleting an initial encrypted second role decryption key corresponding to the third identity authentication method, so as to lower the permission level of the third identity authentication method,
    or the key management method further comprises:
    generating a new second role decryption key; and
    encrypting the new second role decryption key with the first authentication encryption key corresponding to the first authentication decryption key to obtain a new initial encrypted second role decryption key corresponding to the first identity authentication method, so as to lower the permission level of the third identity authentication method, wherein the new second role decryption key corresponds to the second role and is used to decrypt an encrypted second target key to obtain a second target key, the first target key is used to manage the assets corresponding to the first role, and the second target key is used to manage the assets corresponding to the second role.
  14. The key management method according to claim 8, wherein the digital identity further comprises a third identity authentication method, the first identity authentication method corresponds to a first permission level among multiple permission levels of the digital identity, the third identity authentication method corresponds to a third permission level among the multiple permission levels, the third permission level is lower than the first permission level, the first permission level has the permission to manage the assets corresponding to the first role and to a second role among the at least one role, and the third permission level has the permission to manage the assets corresponding to the first role, wherein the key management method further comprises:
    obtaining a third authentication encryption key corresponding to the third identity authentication method;
    decrypting, with the first authentication decryption key, an initial encrypted second role decryption key corresponding to the first identity authentication method to obtain a second role decryption key; and
    encrypting the second role decryption key with the third authentication encryption key to obtain an initial encrypted second role decryption key corresponding to the third identity authentication method, so as to raise the permission level of the third identity authentication method, wherein
    the second role decryption key corresponds to the second role and is used to decrypt an encrypted second target key to obtain a second target key, the first target key is used to manage the assets corresponding to the first role, and the second target key is used to manage the assets corresponding to the second role.
  15. 一种密钥管理方法,其特征在于,包括:A key management method, comprising:
    获取数字身份的第一身份认证方式对应的第一认证解密密钥;Obtain the first authentication decryption key corresponding to the first identity authentication method of the digital identity;
    获取所述数字身份待添加的第二身份认证方式对应的第二认证加密密钥;obtaining the second authentication encryption key corresponding to the second identity authentication method to be added to the digital identity;
    利用所述第一认证解密密钥对所述第一身份认证方式对应的初始加密第一角色解密密钥进行解密,得到第一角色解密密钥;Use the first authentication decryption key to decrypt the initially encrypted first character decryption key corresponding to the first identity authentication mode to obtain the first character decryption key;
    利用所述第二认证加密密钥对所述第一角色解密密钥进行加密,得到所述第二身份认证方式对应的初始加密第一角色解密密钥,其中,The first character decryption key is encrypted by using the second authentication encryption key to obtain the initially encrypted first character decryption key corresponding to the second identity authentication method, wherein,
    所述第一角色解密密钥与所述数字身份的至少一个角色中的第一角色对应,用于对加密后的第一目标密钥进行解密,以得到第一目标密钥。The first character decryption key corresponds to the first character in at least one character of the digital identity, and is used to decrypt the encrypted first target key to obtain the first target key.
  16. 根据权利要求15所述的密钥管理方法,其特征在于,所述第一身份认证方式对应所述数字身份的多个权限等级中的第一权限等级,所述第二身份认证方式对应所述多个权限等级中的第二权限等级,所述第一权限等级具有管理所述第一角色对应资产的权限,其中,The key management method according to claim 15, wherein the first identity authentication method corresponds to a first authority level among multiple authority levels of the digital identity, and the second identity authentication method corresponds to the The second authority level among the plurality of authority levels, the first authority level has the authority to manage the assets corresponding to the first role, wherein,
    在所述利用所述第一认证解密密钥对所述第一身份认证方式对应的初始加密第一角色解密密钥进行解密之前,所述密钥管理方法还包括:Before using the first authentication decryption key to decrypt the initially encrypted first character decryption key corresponding to the first identity authentication method, the key management method further includes:
    确定所述第二身份认证方式的第二权限等级。A second authority level of the second identity authentication method is determined.
  17. 根据权利要求16所述的密钥管理方法,其特征在于,所述第一权限等级高于所述第二权限等级,所述第一权限等级还具有管理所述至少一个角色中的第二角色对应资产的权限,所述第二权限等级具有管理所述第一角色对应资产的权限。The key management method according to claim 16, wherein the first permission level is higher than the second permission level, and the first permission level further has a second role in managing the at least one role The authority corresponding to the asset, and the second authority level has the authority to manage the asset corresponding to the first role.
  18. 根据权利要求16所述的密钥管理方法,其特征在于,所述第一权限等级等于所述第二权限等级,所述第一权限等级还具有管理所述至少一个角色中的第二角色对应资产的权限,其中,所述密钥管理方法还包括:The key management method according to claim 16, wherein the first permission level is equal to the second permission level, and the first permission level further has a second role corresponding to the management of the at least one role. Asset rights, wherein the key management method further includes:
    利用所述第一认证解密密钥对所述第一身份认证方式对应的初始加密第二角色解密密钥进行解密,得到第二角色解密密钥;Use the first authentication decryption key to decrypt the initially encrypted second role decryption key corresponding to the first identity authentication mode to obtain the second role decryption key;
    利用所述第二认证加密密钥对所述第二角色解密密钥进行加密,得到所述第二身份认证方式对应的初始加密第二角色解密密钥,其中,Encrypt the second character decryption key by using the second authentication encryption key to obtain the initially encrypted second character decryption key corresponding to the second identity authentication method, wherein,
    所述第二角色解密密钥与所述第二角色对应,用于对加密后的第二目标密钥进行解密,以得到第二目标密钥,所述第一目标密钥用于管理所述第一角色对应的资产,所述第二目标密钥用于管理所述第二角色对应的资产。The second role decryption key corresponds to the second role, and is used to decrypt the encrypted second target key to obtain a second target key, and the first target key is used to manage the Assets corresponding to the first role, and the second target key is used to manage the assets corresponding to the second role.
  19. The key management method according to claim 16, wherein the first permission level is lower than the second permission level, the second permission level has permission to manage assets corresponding to the first role and to a second role among the at least one role, and the key management method further comprises:
    generating a second role decryption key;
    encrypting the second role decryption key with the second authentication encryption key to obtain an initially encrypted second role decryption key corresponding to the second identity authentication method, wherein
    the second role decryption key corresponds to the second role and is used to decrypt an encrypted second target key to obtain a second target key, the first target key is used to manage assets corresponding to the first role, and the second target key is used to manage assets corresponding to the second role.
  20. The key management method according to claim 15, wherein the digital identity further comprises a third identity authentication method, the first identity authentication method corresponds to a first permission level among a plurality of permission levels of the digital identity, the third identity authentication method corresponds to a third permission level among the plurality of permission levels, the third permission level is equal to or lower than the first permission level, and the third permission level has permission to manage assets corresponding to the first role and to a second role among the at least one role, wherein
    the key management method further comprises:
    deleting the initially encrypted second role decryption key corresponding to the third identity authentication method, so as to lower the permission level of the third identity authentication method;
    or, the key management method further comprises:
    generating a new second role decryption key;
    encrypting the new second role decryption key with a first authentication encryption key corresponding to the first authentication decryption key to obtain a new initially encrypted second role decryption key corresponding to the first identity authentication method, so as to lower the permission level of the third identity authentication method, wherein the new second role decryption key corresponds to the second role and is used to decrypt an encrypted second target key to obtain a second target key, the first target key is used to manage assets corresponding to the first role, and the second target key is used to manage assets corresponding to the second role.
  21. The key management method according to claim 15, wherein the digital identity further comprises a third identity authentication method, the first identity authentication method corresponds to a first permission level among a plurality of permission levels of the digital identity, the third identity authentication method corresponds to a third permission level among the plurality of permission levels, the third permission level is lower than the first permission level, the first permission level has permission to manage assets corresponding to the first role and to a second role among the at least one role, and the third permission level has permission to manage assets corresponding to the first role, wherein the key management method further comprises:
    obtaining a third authentication encryption key corresponding to the third identity authentication method;
    decrypting the initially encrypted second role decryption key corresponding to the first identity authentication method with the first authentication decryption key to obtain a second role decryption key;
    encrypting the second role decryption key with the third authentication encryption key to obtain an initially encrypted second role decryption key corresponding to the third identity authentication method, so as to raise the permission level of the third identity authentication method, wherein
    the second role decryption key corresponds to the second role and is used to decrypt an encrypted second target key to obtain a second target key, the first target key is used to manage assets corresponding to the first role, and the second target key is used to manage assets corresponding to the second role.
  22. A key management apparatus, comprising:
    a first obtaining module, configured to obtain a user's authorization through a first identity authentication method so as to generate a first authentication encryption key, wherein the first identity authentication method is used to log in to a digital identity;
    a first encryption module, configured to encrypt at least one role decryption key with the first authentication encryption key to obtain at least one initially encrypted role decryption key corresponding to the first identity authentication method, wherein
    the at least one role decryption key is in one-to-one correspondence with at least one role of the digital identity and is used to decrypt at least one encrypted target key to obtain at least one target key.
  23. A key management apparatus, comprising:
    a first obtaining module, configured to obtain a first authentication decryption key corresponding to a first identity authentication method of a digital identity;
    a second obtaining module, configured to obtain a second authentication encryption key corresponding to a second identity authentication method to be added to the digital identity;
    a first decryption module, configured to decrypt an initially encrypted first role decryption key corresponding to the first identity authentication method with the first authentication decryption key to obtain a first role decryption key;
    a first encryption module, configured to encrypt the first role decryption key with the second authentication encryption key to obtain an initially encrypted first role decryption key corresponding to the second identity authentication method, wherein
    the first role decryption key corresponds to a first role among at least one role of the digital identity and is used to decrypt an encrypted first target key to obtain a first target key.
  24. An electronic device, comprising:
    a processor;
    a memory, wherein the memory is configured to store instructions executable by the processor, and the instructions, when executed by the processor, cause the processor to perform the key management method according to any one of claims 1 to 21.
  25. A computer-readable storage medium, comprising computer instructions stored thereon, which, when executed by a processor, cause the processor to perform the key management method according to any one of claims 1 to 21.
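The claims above describe a two-level key-wrapping hierarchy: each identity authentication method (password, device, token) yields an authentication key; that key wraps the decryption keys of the roles the method is allowed to hold; each role key in turn wraps the target key that manages the role's assets. Adding an authentication method (claims 16 to 18, 23) is a decrypt-and-rewrap of the role key, lowering a method's level (claim 20) is either deleting its wrapped copy or rotating the role key and re-wrapping it only for the methods that keep the role, and raising a level (claim 21) is wrapping the role key under the additional method's key. The following Python is an added example illustrating that hierarchy; it is not code from the patent or its applicant. The class and method names (`DigitalIdentity`, `grant`, `revoke_by_rotation`, `open_target`), the PBKDF2-derived authentication keys, the HMAC-based toy key wrap and all credentials are constructed assumptions of the example; a real implementation would use a standard authenticated key wrap.

```python
import hashlib
import hmac
import os

KEY_LEN = 32    # every key in the hierarchy is a 256-bit symmetric key (assumption)
NONCE_LEN = 16


def derive_auth_key(method: str, credential: bytes, salt: bytes) -> bytes:
    # Authentication key of one identity-authentication method, derived from the credential
    # that method verifies; symmetric here, so it serves as both encryption and decryption key.
    return hashlib.pbkdf2_hmac("sha256", credential, salt + method.encode(), 50_000, KEY_LEN)


def wrap(kek: bytes, key: bytes) -> bytes:
    # Toy authenticated key wrap (HMAC keystream XOR, then HMAC tag); stdlib stand-in for AES-GCM.
    nonce = os.urandom(NONCE_LEN)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + KEY_LEN], blob[NONCE_LEN + KEY_LEN:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key rejected: wrong key or tampered blob")
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class DigitalIdentity:
    """Hierarchy: authentication key -> role decryption key -> target key. The roles a
    method can open are its permission level; no separate level attribute is stored."""

    def __init__(self) -> None:
        self.targets: dict[str, bytes] = {}             # role -> target key wrapped under role key
        self.methods: dict[str, dict[str, bytes]] = {}  # method -> {role -> role key wrapped under auth key}

    # claims 19 and 22: create a role and grant it to one authentication method
    def create_role(self, method: str, auth_key: bytes, role: str) -> None:
        role_key, target_key = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
        self.targets[role] = wrap(role_key, target_key)
        self.methods.setdefault(method, {})[role] = wrap(auth_key, role_key)

    # claims 16-18, 21, 23: pass roles held by `src` to `dst` by re-wrapping the role key;
    # `src` can only hand on roles it can itself open, so a grant never escalates
    def grant(self, src: str, src_key: bytes, dst: str, dst_key: bytes, roles) -> None:
        missing = set(roles) - set(self.methods.get(src, {}))
        if missing:
            raise PermissionError(f"{src} does not hold {sorted(missing)}")
        for role in roles:
            role_key = unwrap(src_key, self.methods[src][role])
            self.methods.setdefault(dst, {})[role] = wrap(dst_key, role_key)

    # claim 20, second alternative (the first is simply `del self.methods[m][role]`):
    # rotate the role key and re-wrap it only for `keep`; stale copies elsewhere open nothing
    def revoke_by_rotation(self, role: str, keep: dict[str, bytes]) -> None:
        some_method, some_key = next(iter(keep.items()))
        old_role_key = unwrap(some_key, self.methods[some_method][role])
        target_key = unwrap(old_role_key, self.targets[role])
        new_role_key = os.urandom(KEY_LEN)
        self.targets[role] = wrap(new_role_key, target_key)
        for method, auth_key in keep.items():
            self.methods[method][role] = wrap(auth_key, new_role_key)

    def open_target(self, method: str, auth_key: bytes, role: str) -> bytes:
        role_key = unwrap(auth_key, self.methods[method][role])
        return unwrap(role_key, self.targets[role])


def demo() -> dict:
    salt = b"constructed-salt"
    pw = derive_auth_key("password", b"constructed-password", salt)    # holds admin + user
    sms = derive_auth_key("sms", b"constructed-otp-seed", salt)        # will hold user only
    tok = derive_auth_key("token", b"constructed-token-secret", salt)  # added later
    ident = DigitalIdentity()
    ident.create_role("password", pw, "admin")
    ident.create_role("password", pw, "user")
    ident.grant("password", pw, "sms", sms, ["user"])                 # claim 17: lower level
    out = {"sms_opens_user": ident.open_target("sms", sms, "user") == ident.open_target("password", pw, "user")}
    try:
        ident.grant("sms", sms, "token", tok, ["admin"])               # sms cannot hand out admin
        out["sms_granted_admin"] = True
    except PermissionError:
        out["sms_granted_admin"] = False
    ident.grant("password", pw, "token", tok, ["admin", "user"])      # claim 18: equal level
    ident.revoke_by_rotation("admin", {"password": pw})               # claim 20: demote token
    try:
        ident.open_target("token", tok, "admin")
        out["token_admin_after_rotation"] = True
    except ValueError:
        out["token_admin_after_rotation"] = False
    ident.grant("password", pw, "token", tok, ["admin"])              # claim 21: promote again
    out["token_admin_after_promotion"] = ident.open_target("token", tok, "admin") == ident.open_target("password", pw, "admin")
    return out
```

The point worth noticing is in `revoke_by_rotation`: the demoted method keeps a syntactically valid wrapped copy of the old role key, but because the target key has been re-wrapped under the new role key, that copy no longer opens anything, which is why the second alternative of claim 20 can lower a level without touching the demoted method's record at all. The `grant` check is the corresponding defensive property: a method can only propagate roles it can itself decrypt, so adding an authentication method never widens access beyond the level of the method that vouches for it.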
PCT/CN2021/115727 2020-08-31 2021-08-31 Key management method and apparatus WO2022042746A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US18/175,872 US20230208634A1 (en) 2020-08-31 2023-02-28 Key management method and apparatus

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202010897527.4 2020-08-31
CN202010897535.9A CN114124395B (en) 2020-08-31 2020-08-31 Key management method and device
CN202010897527.4A CN111970126A (en) 2020-08-31 2020-08-31 Key management method and device
CN202010897535.9 2020-08-31

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US18/175,872 Continuation US20230208634A1 (en) 2020-08-31 2023-02-28 Key management method and apparatus

Publications (1)

Publication Number Publication Date
WO2022042746A1 true WO2022042746A1 (en) 2022-03-03

Family

ID=80354709

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/115727 WO2022042746A1 (en) 2020-08-31 2021-08-31 Key management method and apparatus

Country Status (2)

Country Link
US (1) US20230208634A1 (en)
WO (1) WO2022042746A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101510238A (en) * 2008-02-15 2009-08-19 北京书生国际信息技术有限公司 Document database safety access method and system
CN104468074A (en) * 2013-09-18 2015-03-25 北京三星通信技术研究有限公司 Method and equipment for authentication between applications
CN104780175A (en) * 2015-04-24 2015-07-15 广东电网有限责任公司信息中心 Hierarchical classification access authorization management method based on roles
CN111970126A (en) * 2020-08-31 2020-11-20 北京书生网络技术有限公司 Key management method and device
CN112039665A (en) * 2020-08-31 2020-12-04 北京书生网络技术有限公司 Key management method and device

Also Published As

Publication number Publication date
US20230208634A1 (en) 2023-06-29

Similar Documents

Publication Publication Date Title
US11336634B2 (en) Identity management via a centralized identity management server device
CN106537403B (en) System for accessing data from multiple devices
US11764966B2 (en) Systems and methods for single-step out-of-band authentication
JP6335280B2 (en) User and device authentication in enterprise systems
CN111147255B (en) Data security service system, method and computer readable storage medium
WO2017000829A1 (en) Method for checking security based on biological features, client and server
US7987357B2 (en) Disabling remote logins without passwords
WO2021184755A1 (en) Application access method and apparatus, and electronic device and storage medium
EP3997606A1 (en) Cryptoasset custodial system with custom logic
CA3122376A1 (en) Systems and methods for securing login access
US20230208637A1 (en) Key management method and apparatus
CN112039665A (en) Key management method and device
CA3149910A1 (en) Advanced security control implementation of proxied cryptographic keys
US20140250499A1 (en) Password based security method, systems and devices
WO2022042746A1 (en) Key management method and apparatus
CN111970126A (en) Key management method and device
KR101221728B1 (en) The certification process server and the method for graphic OTP certification
US10756899B2 (en) Access to software applications
CN114124395B (en) Key management method and device
CN108668260B (en) SIM card data self-destruction method, SIM card, device and server
TWM599939U (en) System for identity verification
Raji et al. Enhancing Public Cloud Security by Developing a Model For User Authentication and Data Integrity Checking
KR102542840B1 (en) Method and system for providing finance authentication service based on open api
CN114124422B (en) Key management method and device
EP4047871A1 (en) Advanced security control implementation of proxied cryptographic keys

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21860578

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 21.06.2023)

122 Ep: pct application non-entry in european phase

Ref document number: 21860578

Country of ref document: EP

Kind code of ref document: A1